EXHIBIT C-2 

EXEMPLARY PORTIONS OF PRIOR ART THAT TEACH OR SUGGEST EACH 
ELEMENT OF THE ASSERTED '661 CLAIMS 
PATENT L.R. 3-3(C) 



Claim 1 C661 Patent) 


5^549^94 to Griffin ct aL rCriffin'*) 


A cryptographic 
processing device for 
securely performing a 
cr)'ptographic processing 
operation including a 
sequence of instructions in 
a manner resistant to 
discovery of a secret by 
external monitoring, 
comprising: 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a 'clock 
attack'." 

1 :29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination 
of pins which is related to or affected by internal processor 
execution." 

2:37-47 - "The present invention ftirlher provides a data processing 
system, comprising means for executing a predetermined data 
processing routine^ wherein a observable external event occurs in 
relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the 
predetermined data processing routine from being determined in 
relation to the occurrence of the observable external event." 

3:4-22 - *The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure central processing unit (CPU). 
Both memories may include both a random access memory (RAM) 
and a read only memory (ROM). The term -secure' indicates 
external inaccessibility. Referring to Figure 1, in one preferred 
embodiment of the present invention, a CPU 10 executes a group of 
data processing routines . . , in resTx>nse to instructions (code) 
accessed from a ROM 18; and further executes a maze of interim 
routines . . . assembled in response to instructions accessed from a 
secure RAM 24." 

3:27-31 ~ "In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze 
of m interim routines INTERIM ROUTINE 1, INTERIM 
ROUTINE 2, . INTERIM ROUTINE m," 
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8:1-22 - "The interim routine of Figure 5 includes the following 
subroutines, START, INITlALIZATiON, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1, INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA = Y 0 SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT After the 
START subroutine 72, Uie CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded vvith the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero/' 

9:31-35 ~ *'The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Claim 19 - means for randomly varymg the duration ot said 
interim routines to thereby vary the duration between the 
occurrence of the externally observable event and the execution of 
the predetermined routine in order to prevent the time of execution 
of the predetermined data processing routine from being determined 
in relation to the occurrence of the externally obser\'able event" 

Figures 1, 4. 


(a) an input interface for 
receiving a quantity to 
be cryptographically 
processed, said quantity 
being representative of 
at least a portion of a 
message; 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines. . . 

1 :29-34 - "An ^observable external event' is defined as any internal 
state transition thai manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination 
of pins which is related to or alTected by internal processor 
execution." 

9:31-35 - "The method and system of the present invention are 
panicuiany suneu lor impienieniauon in a microprocessor tnat 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1, 4, 

See also John F. Wakerly, Microcomputer Architbcture and 
PROGRAM.MING; THE 68000 Famh.y, John Wiley & Sons, Inc., New 
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York, 1997 at 6-7. 


(b) a source of 

unpredictable 

information; 


4:8-16 " The random clock-cycle numbers are provided in the 
different portions of the secure RAM 24 from which the 
instructions for the different interim routines are accessed, fhe 
random clock-cycle numbers may be provided in the RAM 24 in 
response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8-1 8 "The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of 
the interim routines a random variable. The selection and sequence 
of the m pointers is provided during each overall data processing 
cycle in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 


(c) a processor: 


3:11-17'- "Referring to Figure 1 , in one preferred embodiment of 
the present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a 
ROM 18.., " 


(i) connected to said 
input interface for 
receiving and 
cryptographically 
processing said 
quantity. 


3:11-17- "Referring to Figure 1 , in one preferred embodiment of 
the present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a 
ROM 18..." 

See also John F. Wakerly, MICROCOMPUTER ARCHITECTURE AND 
Programming; The 68000 Famh.y, John Wiley & Sons, Inc., New 
York, 1997 at 6-7 (any useful computer must be connected to 

peripherals such as 1/0), 


(ii) configured to use 
said unpredictable 
information to conceal 
a correlation between 
externally monitorable 
signals and said secret 


! :29-34 ~ "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination 
of pins which is related to or affected by internal processor 

execution.'' 
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during said processing 1 :54-2:2 - "In one aspect of the present invention, step (a) includes 
of said quantity by the steps of (b) executing one or more interim data processing 
modifying said routines between the occurrence of the observable external event 

sequence; and and the execution of the predetermined routine; and (c) randomly 

varying the duration of said interim routines. In this aspect of the 
invention, steps (b) and (c) preferably include the step of (d) 
randomly assembling m said interim routines for said execution 
from a group of n stored routines having different durations, 
wherein m and n are integers, with n being greater than m. It is also 
preferred that step (d) either includes the step of (c) rcmdomly 
accessing said m interim routines from a secure memory; or the 
steps of (f) randomly accessing pointers for said m interim routines 
from a secure memory; and (g) accessing said m interim routines 
from a memory in response to said pointers." 

3:9-10 - 'The term 'secure' indicates external inaccessibility." 

3:23-53 - "The routines ROUTINE N-l, ROUTINE N, ROUTINE 
N+1 are essential sequential subroutines of a repetitive overall 
larger data processing routine, and follow the occurrence of an 
observable external event during each sequence of the overall larger 
routine. In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze 
of m interim routines INTERIM ROUTINE 1, INTERIM 
ROUTINE 2, INTERIM ROUTINE m. The total duration of 
the m interim routines is a random variable. The m interim routines 
have different durations. To ensure that the branch into the maze of 
interim routines is taken, some subroutine critical to the overall 
larger routine is buried inside the maze. If this subroutine is not 
performed, then the executed overall larger routine is not valuable. 
The critical subroutine is buried by breaking up the instmctions in 
such a way that the instruction for the predetennined protected 
routine ROUTINE N does not reside sequentially after its preceding 
instruction. Instead, the BRANCH routine 12 saves the address of 
the instruction for the predetermined protected routine ROU TINE N 
in a secure memory location that cannot be accessed until after 
execution of the maze of interim routines 20» 21, 22 is competed. 
After the address of the instruction for the predetermined protected 
routine ROUTINE N is stored, the CPU 10 executes the first 
interim routine INTERIM ROUTINE 1 

3:64-4: 16 - "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
I shown in Figure 2, wherein the routine is completed once a number 
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of clock cycles are counted After a START subroutine 25, the 

number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27, The nujnber of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 
24 from which the instructions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 ^ "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8-18 ~ ^The pointers 67, 68, 69 arc fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of 
the interim routines a raiidom variable. The selection and sequence 
of the m pointers is provided during each overall data processing 
cycle in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

Figures 1-2,4, 5. 


(d) an output interface 
for outputting said 
cryplographically 
processed quantity to a 
recipient thereof. 


1:11-14- 'The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines 

1 :29-34 - ''An 'observable external event* is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination 
ui ];nib wiijufi i:s reiaieu lo or anccieo oy miemaj processor 
execution." 

9:3 1 -35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 
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Figures 1,4. 




See also John F. Wakerly, MICROCOMPUTER ARCHITECTURE AND 
PROGRAMMrNG; THE 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 



Claim 2 ('661 Patent) 


V.S. 5,249»294 to Griffin 


ITie device of claim I 
wherein said input 
interface and said output 
interface are the same 
element. 


3:6-10 "The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecirre memory and a secure central processing unit (CPU). 
Both memories may include both a random access memory (RAM) 
and a read only memory (ROM). The term * secure' indicates 
extemal inaccessibility." 

See also John Wakerly, Microcomputer Architecture and 
Programming; The 68000 Famu.y, John Wiley & Sons, Inc., New 
Yoricl997 at 6-7, 




Claim 4 C661 Patent) 


5^49,294 to GrifTm 


The device of claim 1 
wherein said 
cryptographic processing 
operation includes 
transforming a message 
with the Data Encryption 
Standard (DES). 


3:23-27 - "The routines ROUTINE N-1 , ROUTINE ROUTINE 
N+1 are essential sequential subroutines of a repetitive overall 
larger data processing routine, and follow the occurrence of an 
observable external event during each sequence of the overall larger 
routine.^' 

See, e.g., "Data Encryption Standard," Federal Information 
Processing Standards Publication (PIPS PUB) 46-2, U.S. 
Department of Commerce, National Institute of Standards and 
Technology, Dec. 30, 1993 (suggesting, at 3, implementations of 
DES; and describing, at 5, high level of protection provided by 
DES); Menezes, A.J. et a!.. Handbook of Applied 
Cryptography, CRC Press, Boca Raton at 223 and 250 
(I997)(describing DES as a well known block cipher and a common 
element of cryptographic systems). 
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Claiin6C661 Patent) 


U.S- 5,249,294 to Griffm 


A cryptographic 
processing device 
implemented on a single 
microchip for securely 
performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of a 
secret by external 
monitoring, comprising: 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a *clock 
attack'/' 

1 :29-34 - "An 'observable externa! event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins whid) is related to or affected by internal processor execution." 

2:37-47 - ''The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a observable external event occurs in 
relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the observable external event." 

3:4-22 - '*The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure central processing unit (CPU), Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM). ITie term -secure' indicates external 
inaccessibility. Referring to Figure 1, in one preferred embodiment 
of the present invention, a CPU 10 executes a group of data 
processing routines , . . in response to instructions (code) accessed 
firom a ROM 1 8; and further executes a maze of interim routines . , . 
assembled in response to instructions accessed from a secure RAM 
24," 

3:27-3 1 - ''In order to prevent a predetennined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze of 
m interim routines INTERIM ROUTINE 1. INTERIM ROUTINE 2, 
INTERIM ROUTINE m/' 

8:1-22- 'The interim routine of Figure 5 includes the foilowing 
subroutines, START, INITIALIZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1 , INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA - Y ® SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . .After the i 
START subroutine 72, the CPU executes the INmALIZATiON 1 
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subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero/* 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Claim 19 - means for randomly varymg the dviration of said mtenm 
routines to thereby vary the duration between the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order to prevent the Ume of execution of the 
predetermined data processing routine from being detemiined in 
relation to the occurrence of the externally observable event" 

Figures 1 and 4. 


(a) an input interface 
for receiving a quantity 
to be cryptographically 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a 'clock 
attack*," 

1 :29-'34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by'intemal processor execution." 

9:3 1-35 - 'The method and system of the present invention arc 
particulariy suited for implementation in a microprocessor tliat 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1,4. 

PROGRAMMING; THE 68000 FAMILY, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 


(b) a source of 

unpredictable 

information; 


4:8-16- *'The random clock-cycle nimibcrs are provided in the 
different portions of the secure RAM 24 from which the insUaictions 
for the different interim routines are accessed. The random clock- 
cycle numbers may be provided in the RAM 24 in response to a 
signal produced by a physically (truly) random phenomena, such as a 
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noisy diode, or in response to a pseudorandom device, such as a 
pseudorandom number generator/* 

6:53-58 - '*The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable/* 

7:8-18 - "The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that arc accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 


(c) a processor: 


3:1 1^17 --"Referring to Figure 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 
18...." 


(i) connected to said 
input interface for 
receiving and 
cryptographically 
processing said 
quantity, 


3:11-17-- *'Reierring to Figure 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 
18...." 

See also John F. Wakerly, Microcompui er ARCHITECTURE and 
Programming; The 68000 Family, John Wiley & Sons, Inc., Nevy 
York, 1997 at 6-7 (any useful computer must be connected to 
peripherals such as I/O). 


(ii) configured to use 
said unpredictable 
information to 

conceal a correlation 
between said 

IIlldUvllI|y o JX/WCl 

consumption and said 
processing of said 
quantity by 
expending additional 
electricity in said 
microchip during said 


1 :29-34 ^ "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

1*54-2*2 — '*In one asncct of tYiC nrp^^*nt !nvf»nfir»n Qt^n tn^inH^^e 

i *y.Am vr««x> uo^w\«t. v/A j/ivov«-iiv illy v>tillv/il^ laiCrU \<*j illvlUUCio 

the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention, 
steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having different durations, wherein m and n arc 
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processing; and 



integers, with n being greater than m. It is also preferred that step 
(d) either includes the step of (e) randomly accessing said m interim 
routines from a secure memory; or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure 
memory; and (g) accessing said m interim routines from a memory 
in response to said pointers/' 

3:23o3- "The routines ROUTINE N-l, ROUTINE N, ROUTINE 
N-^l are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROUTINE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 

INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable. The m interim routines have different 
durations/^ 

3:64-4:16- "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a ntmnber 
of clock cycles are counted. Referring to Figure % the loop counter 
routine includes subroutines 25, 26, 27, 28, 29 and 30. After a 
START subroutine 25^ the number of clock cycles D to be coimted is 
loaded into a register implemented by the CPU 10 during a LOAD 
DELA Y D IN R subroutine 27. The number of clock cycles D is a 
random number accessed from the secure RAM 24, The random 
clock-cycle numbers are provided in the different portions of the 
secure RAM 24 from which the instnictions for the different interim 
routines are accessed. The random clock-cycle numbers may be 
provided in the RAM 24 in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom 
number generator** 

6:53-58 - "llie n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8-18 - *'Tlie pointers 67, 68, 69 are fixed bat the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from on e overall data 
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processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signa] produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator^'* 

7:60-8:24 - **The interim routine of Figure 5 incorporates a common 
recurring critical routine of the overall larger data processing routine. 
In this embodiment the critical routine is the movement of source 
data to a destination. The source data is data that is dynamically 

processed during the overall larger data processing routine The 

interim routine of Figure 5 includes the following subroutines, 
START, INrnALIZATION, iTH Bfr OF X - 1?, SET iTH BIT OF 
Y TO 1, INCREMENT i, i > WORD SIZE OF SOURCE DATA?, 
DESTINATION DATA - Y ® SOURCE DATA, WRITE NEW 
SECURE DATA, AND EXIT . . , .After the START subroutine 72, 
the CPU executes the INITIALIZATION subroutine 73, during 
which a register X is loaded with the result of the dynamic SOURCE 
DATA being XORed with SECURE DATA accessed from a secure 
RAM, a register Y is set to zero, and a counter i is set to zero. The 
address of the destination of the source data is also stored during the 
INITIALIZATION subroutine 73." 

Figures 1,2,4, 5, 


(d) an output interface 
for outputting said 
cryptographically 
processed quantiiy to a 
recipient thereof. 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines " 

1 :29-34 - "An ^observable external event' is defined as any intcmal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by intenial processor execution/' 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1,4. 

See also John F. Wakeriy, MrcROCOMPUTCR Architbcture and 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7 (any useful computer must be connected to 
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peripherals such as I/O). 

See generally W, Rankl and W, Effing, Smart Card Handbook, 
John Wiley & Sons, Chichester, 1997 at 356-384 (describing 
applications for smartcards, including subscnber networks). 

See also, eg., Scott GuUier>', "Smart Cards/* May 28, 1998, 
www.usenix.ore/publications/login/ 1 998-5/euthery,html (visited 


Dec. 5» 2006) ("Single-chip smart card processors based on these 
cores are made by almost all the large silicon foundries . . . .Several 
marketplace forces are at work lo open the smart card as a general- 
purpose computing platform/*). 



CIaim7(*661 Patent) 


5^49^94 to Griffin 


The device of claim 6 
including prograjn logic 
to activate said 
expending during said 
nrnce<5*2in0 


1:54-2:2 - "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly 
varvinp the duration of <5aid interim rotitin^^ In thi<? a<;rM^ct of thf* 
invention, steps (b) and (c) preferably include the step of (d) 
randomly assembling m said interim routines for said execution from 
a group of n stored routines having different durations, wherein m 
and n are integers, with n being greater than m. It is also preferred 
that step (d) either includes the step of (e) randomly accessing said 
m interim routines from a secure memory; or the steps of (f) 
randomly accessing pointers for said m interim routines from a 
secure memory; and (g) accessing said m interim routines from a 
memory in response to said pointers."V 

3:23o3 - "The routines ROUTINE N-K ROUTINE N, ROUTINE 
N+1 are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observ'able 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROU I FNE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, Uie 
BRANCH routine 12 causes the CPU 10 lo branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 

INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable. The m interim routines have different 
durations. To ensure that the branch into the maze of interim 
routines is taken, some subroutine critical to the overall larger 
routine is buried inside the maze. If this subroutine is not 
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perfonned, then the executed overall larger routine is not valuable. 
The critical subroutine is buried by breaking up the instructions in 
such a way that the instruction for the predetermined protected 
routine ROUTINE N does not reside sequentially after its preceding 
instruction. Instead, the BRANCH routine 12 saves the address of 
the instruction for the predetermined protected routine ROUTINE N 
in a secure memory location that cannot be accessed until after 
execution of the maze of interim routines 20, 21, 22 is competed. 
After the address of the instruction for the predetermined protected 
routine ROUTINE N is stored, the CPU 10 executes the fir^t interim 
routine INTERIM ROUTINE 1/^ (emphasis added) 

3 :64-4:16 - ''The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE Isf. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 
of clock cycles are counted. Referring to Figure 2, the loop counter 
routine includes subroutines 25, 26, 27, 28, 29 and 30. After a 
START subroutine 25, the number of clock cycles D to be counted is 
loaded into a register implemented by the CPU 1 0 during a LOAD 
DELAY D IN R subroutine 27. The number of clock cycles D is a 
random number accessed from the secure RAM 24. The random 
clock-cycle numbers are provided in the different portions of the 
secare RAM 24 from which the instructions for the different interim 
routines are accessed. The random clock-cycle numbers may be 
provided in the RAM 24 in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom 
number generator." 



Claim 9 (*661 Patent) 



U,S. 5,249^94 to Griffin 



A cryptographic 
processing device for 
securely performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of a 
secret by external 
monitoring, comprising: 



1:29-34 An ^observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or cunrent at any pin or combination of 
pins which is related to or affected by internal processor execution. 



1:11-14- 'The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure knovvn as a * clock 
attack\'' 



1 :37>51 - "The present invention prevents such clock attack s by 
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providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of the time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes executioo 
of the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occunrence of the observable external event and the execution of the 
predetermined routine. 'Duration' is determined by the number of 
data processing clock cycles/' 

2:37-47 -~ "The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a [sic] observable external event occurs 
in relation to execution of said predetermined routine; and means for 
randomly vary ing the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being deteimined in relation to (he 
occurrence of the observable external event/* 

3:4-22 - "ITie preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure central procCvSsing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM). The term --secure' indicates external 
inaccessibility. Referring to Figure 1, in one preferred embodiment 
of the present invention, a CPU 10 executes a group of data 
processing routines . . Jn response to instructions (code) accessed 
from a ROM 18 ; and further executes a maze of interim routines , , . 
assembled in response to instructions accessed from a secure RAM 
24." 

3:27-31 ~ "In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze of 
m interim routines INTERIM ROUTINE 1 , INTERIM ROUTINE 2 
INTERIM ROUTINE m/* 

8:1-22 'The interim routine of Figure 5 includes the following 
subroutines, START, INITIALIZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1 , INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESl (NATION DATA - Y ® SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . .After the 
START subroutine 72, the CPU executes the INrnALIZATION 
subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORe d with SECURE DATA 
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accessed from a secure RAM* a register Y is set to zero, and a 
counter i is set to zero," 

9:3 1-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled infonnation signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network/* 

Claim 19 - "means for randomly varying the duration of said interim 
routines to thereby vary the duration between the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order to prevent the time of execution of the 
prcdetenmned data processing routine from being determined in 
relation to the occurrence of the externally observable event" 

Figures 1,4, 


(a) an input interface 
. for receiving a quantity 
to be cryptographically 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- 'The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines. . . 

1 :29-34 ~ "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

9:31-35 - "The method and system of the present invention arc 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1, 4. 

See also John Wakerly, MiCROCOMPU'TCR Architecture and 
PROGRAMMfNG; I he 68000 FAMILY, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 


(b) a source of 

unpredictable 

information; 


4:5- 1 5 - 1 he random clock-cycle numbers may be provided m the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator"' 

6:53-58 - ' The n interim routines have different durations; and the 
selection and sequence of the m interim routines that^are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
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duration of the interim routines a random variable/' 

7:8-18 - *'The pointers 67, 68, 69 are fixed but the selection and 
sequence oi me m pomiers inai arc accesscu cunng a given oaia 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable, l^he selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator," 


(c) a processor: 


3:11-17- ^'Referring to Figxire 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 

18. . . " 


(i) connected to said 
input interface for 
receiving and 
cryptographically 
processing said 
quantity. 


3:11-17- ''Referring to Figure 1 , in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 
18.../* 

See also John F. Wakeriy, Microcomputer Architecture and 
Programmhsig; The 68000 Family, John Wiley & Sons. Inc., New 
York, 1997 at 6-7 (any useful computer must be connected to 
peripherals such as I/O). 


(ii) configured to use 
said unpredictable 
information to 
conceal a correlation 
between externally 
monitorable signals 
and said secret during 
said processing of 
said quantity; 


1 :29-34 - "An 'observable external event* is defined as any internal 
state transition that manifests itself extemaily, including but not 
limited to a change in vohage or current at any pin or combination of 
pins which is related to or affected by internal processor execution.'' 

1:54-2:2 - "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly 
varying the duration of said interim routines. In this aspect of the 
invention, steps (b) and (c) preferably include the step of (d) 
laiiuuiitiy <}&:>cjiiMUu^ iii D«tiu inicnin ruuuncb lor saiu execunon irom 
a group of n stored routines having different durations, wherein m 
and n are integers, with n being greater than m. It is also preferred 
that step (d) either includes the step of (e) randomly accessing said m 
interim routines from a secure memory: or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure 
memory; and (g) accessing said m interim routines from a memory 
in response to said pointers." 
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3:9-10 ""The term ^secure* indicates external inaccessibility." 

3:23-53 - "The routines ROUTINE N- 1 , ROUTINE N, ROUTINE 
N+l are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence oJ the overall larger routine. In 
order to prevent a predetermined protected routine ROU TINE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1 , INTERIM ROUTINE 2, 
INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable. The m interim routines have different 
durations. To ensure that the branch into the maze of interim 
routines is taken, some subroutine critical to the overall larger 
routine is buried inside the maze. If this subroutine is not performed, 
then the executed overall larger routine is not valuable. The critical 
subroutine is buried by breaking up the instructions in such a way 
that the instruction for the predetermined protected routine 
ROUTINE N does not reside sequentially after its preceding 
instruction. Instead, the BRANCH routine 12 saves the address of 
the instruction for the predetermined protected routine ROUTINE N 
in a secure memory location that camioi be accessed until after 
execution of the maze of interim routines 20, 21, 22 is competed. 
After the address of the instruction for the predetermined protected 
routine ROUTINE N is stored, the CPU 10 executes the first interim 
routine INTERIM ROUTINE 1." (emphasis added) 

3:64-4: 16-~ "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUITNE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 
of clock cycles are counted. Referring to Figure 2, the loop coimter 
routine includes subroutines 25, 26, 27, 28, 29 and 30. After a 
START subroutine 25, the niunber of clock cycles D to be counted is 
loaded into a register implemented by the CPU 10 during a LOAD 
DELAY D IN R subroutine 27. Tho number of clock cycles D is a 
random number accessed from the secure RAM 24. The random 
clock-cycle numbers are provided in the different portions of the 
secure RAM 24 from which the instructions for the different interim 
routines are accessed. The random clock-cycle numbers may be 
provided in the RAM 24 in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom 
number generator." 

6:53-58 - "The n interim routines have differe nt durations; and the 
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selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable *' 

7:8-18 ~ 'The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 

Figures K 2, 4, 5. 


(d) an output interface 
for outputting said 
cryptographicaliy 
processed quantity to a 
recipient thereof; 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines, . . 

1 :29-34 '"An 'observable external event' is defined as any internal 
state transition that manifests itself extemally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins v^hich is related to or affected by internal processor execution-" 

9:31-35 - *The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication netv^ork.*' 

Figures 1.4, 

See also John F, Wakerly, MICROCOMPUTER Architecture and 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 


(e) a hardware- 
implemented noise 
production subxinit 
connected to said 
source of unpredictable 
information and 
configured to expend 
unpredictable amounts 
of electricity based on 


1 :54-2:2 — *'In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly 
varying the duration of said interim routines. In this aspect of the 
invention, steps (b) and (c) preferably include the step of (d) 
randomly assembling m said interim routines for said execution from 
a group of n stored routines having different durations, wherein m 
and n are integers, with n being greater than m. it is also preferred 
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the output of said 
source of unpredictable 
information; and 


that step (d) either includes the step of (e) randomly accessing said m 
interim routines from a secure memory; or the steps of (0 randomly 
accessing pointers for said m interim routines from a secure 
memory; and (g) accessing said m interim routines from a memory 
in response to said pointers." 

3:66-4:2 - "Each interim routine is a loop counter routine as shov^'n 
in Figure 2, wherein the routine is completed once a number of clock 
cycles are counted. Referring to Figure 2, the loop counter routine 
includes subroutines 25, 26, 27, 28, 29 and 30," 

4:7-16 - "The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed. Fhe random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable.*' 

7:8-1 8 ~ "The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 

ft 

Figures 2, 5. 


(f) an activation 
controller, which may 
be activated by 
software contained in 
said device, to activate 
and deactivate said 
expending of 
unpredictable amounts 


3:31-39 - "n Jhe BRANCH routine 12 causes the CPU 10 to branch 
to the maze of m interim routines fNTERIM ROUTINE 1 
INTERIM ROUTINE 2,.. INTERIM ROUTrNE m . . . /to ensure 
that the branch into the maze of interim routines is taken, some 
subroutine critical to the overall larger routine is buried inside the 
maze." 

3:54-63 - "In the sequence of instructions stored in the ROM 18, the 
next instruction after the instruction for the BRANCH routine 12 is a 
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of ^lectricitv 


J AuvirciviiNvj uxti ttXy i itxj rouune i J. in normal operation, tne 
TAMPERING DETECTED routine 13 will never be executed since 
the CPU 10 will alv^ys branch to the maze of interim routines. 
However, if an attacker attempts to bypass the BRANCH routine 12, 
the TAMPERING DETECTED routine 1 3 will be executed to 
thereby detect the attacker*s tampering attempt." 

Figures 1 , 4. 




Ctaim lO (*661 Patent) 


LIS, 5,249^94 to Griffin 


The device of claim 9 
M^ierein said source of 
unpredictable 
infonmtion is a 
hardware-implemented 
random number 
generator, and wherein 
said noise production 
subunit includes a 
digitaj-to-analog 
converter. 


4:8-16- "The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena^ such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

7:8-1 8 "The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 

See also. e,g,, English abstracts of JP10084223,JP10]976IO, 
JP62260406, and JP62082702 (describing including a digital to 
analog converter in a noise production subunit); 




Claim 11 C661 Patent) 


U.S, 5^49,294^ Griffin 


A cryptographic 

processing device for 
securely performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of 
a secret by external 
measurement of said 
device's power 


1:1 1-14 - "The present invention generally pertains to data 
processing aiid is particularly directed to preventing compromise of 
secure data processing routines by a procedure knovwi as a 'clock 
attack'.*' 

1:29-34 ^ ''An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution. ^ 
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consumption, 
comprising: 



1:36-51 (ADD) - "The present invention prevents such clock attacks 
by providing a method that inhibits synchronization with extcmaliy 
generated instructions by preventing determination of the time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetemiined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable externa! event and the execution of the 
predetermined routine, * Duration* is determined by the number of 
data processing clock cycles/* 

2:37-47 ^ ''The present invention fijrther provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a [sic] observable external event occurs 
in relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being detennined in relation to the 
occurrence of the observable external event/' 

3:4-22 - "The preterred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memoty and a secure central processing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM). The term -^secure' indicates extemal 
inaccessibility. Referring to Figure I, in one preferred embodiment 
of the present invention, a CPU 10 executes a group of data 
processing routines . _ in response to instructions (code) accessed 
from a ROM 1 8; and ftirther executes a maze of interim routines . . . 
assembled in response to instructions accessed from a secure RAM 
24/' 

3:27-31 - "In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable extemal 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze'of 
m interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2 
. . INTERIM ROUTINE m." 

8:1-22 - "The interim routine of Figure 5 includes the follov^ng 
subroutines, START, INITIALIZATION, iTH BIT OF X - P SET 
iTH BIT OF Y TO i , INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA - Y ® SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . , , .After the 
START subroutine 72, the CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded with the result of 
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the dynainic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero/' 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network/* 

Claim ] 9 - **means tor randomly varying die ditration of said interim 
routines to thereby var>' the duration between the occurrence of the 
extemally observable event and the execution of the predetermined 
routine in order to prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the extemally observable event" 

Figures 1,4. 


(a) an input interface 
for receiving a quantity 
to be cryptographically 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:1 M4 *The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines. , . / • 

1 :29o4 - ''An 'observable external event' is defined as any internal 
state transition that manifests itself extemally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution," 

9:31-35 - *The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network/' 

Figures 1,4. 

See also John F. Wakerly, MICROCOMPUTER ARCHITECTURE AND 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7, 


(b) an input interface 
for receiving a variable 
amount of power, said 
power consumption 
varying measurably 
during said 
performance of said 


1 :29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself extemally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution/' 

2:39-47 ~ '*The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a fsic] observable external event occurs 
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operation; 


in relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the observable external event." 

9: 1 8-23 - "The interim routine of Figure 5 need not be executed in 
combination with other interim routines and may be incorporated 
into an overall larger data processing routine anytime critical data 
needs to be moved from one location (source) to another location 
(destination).'* 


(c) a processor 
connected to said input 
interface for receiving 
and cryplographically 
processing said 
quantity; and 


3:9-17 - "Referring to Figure 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 
18...." 

Figures!, 4, 

See also John F. Wakerly, Microcomputer Architecture A>iD 
PROCRAMMfNG; THE 68000 FAMILY, John Wiley & Sons, Inc., New 
York, 1997 at 6-7 (any useful computer must be connected to 
peripherals such as 1/0). 


(d) a noise production 
system for introducing 
noise into said 
measurement of said 
power consumption. 


1 :54-2:2 - "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention, 
steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having different durations, wherein m and n are 
integers, with n being greater than m. It is also preferred that step (d) 
either includes the step of (e) randomly accessing said m interim 
routines from a secure memory; or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure memory; 
and (g) accessing said m interim routines from a memory in response 
lo baiQ pomiers. 

3:23-53 - *The routines ROUTINE N-1 , ROUTINE N, ROUTINE 
N4-1 are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROUTINE N 
from being synclironi^cd with Uie observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
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BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE L INTERIM ROUTINE 2, 

INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable." 

3:64-4:6 'The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 

of clock cycles are counted After a START subroutine 25, the 

number of clock cycles D lo be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27/' 

4:7-16 ~ 'The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instnictions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response lo a 
pseudorandom device, such as a pseudorandom number generator/' 

6:53-58 - 'The n interim routines have different durations: and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable/' 

7:8-1 8 - The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandoin 
device, such as a pseudorandom number generator/' 

7:52-59 - "FIG, 5 illustrates an alternative preferred, embodiment of 
an interim routine. In this interim routine the duration between the 
externally observable event and the predetermined protected routine 
is randomly varied in response to both dynamically processed data 
that does not repetitively recur at the same time in relation to each 
occurrence of the externally observable event, and data stored in a 
secure memory/' 
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8:60-9:5 - "The total duration of the interim routine of FIG. 5 is 
dependent upon the number of ONE bits loaded into the X register 
during the INITIALIZATION subroutine 73, since the SET iTH BIT 
OF X TO 1 subroutine 75 is executed only when the ith bit of the X 
register equals ONE. Thus the range of variation in the duration of 
the interim routine of FIG. 5 is the number of clock cycles required 
for the subroutine 75 times the number of bit positions in the X 
register. Since the number of times that the subroutine 75 is executed 
is dependent upon the content of the dynamically processed source 
data and the secure data in the RAM, the total duration of the interim 
routine of FIG, 5 is a random variable that is unknown to the 
observer." 

Figures 2, 5. 



Claiin 12 ('661 Patent) 


U.S. 5^249^94 to Griffin 


The df*v5f*p of riaim 1 1 

wherein said noise 
production system 
comprises: (a) a source 
of randomness for 
generating initial noise 
having a random 
characteristic; 


o.Du-'y.:> — me loiai auranon or me mtenm routme oi 1 lO. 5 is 
dependent upon the number of ONE bits loaded into the X register 
during the INITIALIZATION subroutine 73, since the SET iTH BIT 
OF X TO 1 subroutine 75 is executed only when the iih bit of the X 
register equals ONE. ITius the range of variation in the duration of 
the interim routine of FIG. 5 is the number of clock cycles required 
for the subroutine 75 times the number of bit positions in the X 
register. Since the number of times that the subroutine 75 is executed 
is dependent upon the content of the dynamically processed source 
data and the secure data in the RAM, the total duration of the interim 
routine of FIG. 5 is a random variable that is unknown to the 
observer." 


(b) a noise processing 
module for improving 
the random characteristic 
of said initial noise; and 


9:6-16 - "The randonmess of the the total duration of the interim 
routine of FIG. 5 is further compounded by execution of the WRITE 
NEW SECURE DATA subroutine 79, which changes the secure data 
in the R.A.M that is accessed during the INITIALIZATION 
subroutine 73, so that each time the interim routine of FIG. 5 is 
executed, such secure data may be different. I he secure data may be 
provided in the RAM in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom number 
generator/' 


(c) a noise production 
module configured to 
vary said power 


9:6-16 - "The randomness of the the total duration of the interim 
routine of FIG. 5 is further compounded by execution of the WRJTE 
NEW SECURE DATA subroutine 79, which changes the secure data 
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consumption based on an 
output of said noise 
processing module. 


in the RAM that is accessed during the INm ALIZATION 
subroutine 73, so that each time the interim routine of FIG. 5 is 
executed^ such secure data may be different. The secure data may be 
provided in the RAM in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom number 
generator," 




Claim 13 (*661 Patent) 


ILS. S»249,294 to Griffin 


The device of claim 12 
wherein said noise 
production system is 
connected to said 
processor and is 
selectively operable 
under the control of said 
processor. 


9:6-16 - 'The randomness of the the total duration of the interim 
routine of FIG. 5 is further compounded by execution of the WRITE 
NEW SECURE DATA subroutine 79, which changes the secure data 
in the RAM that is accessed during the INIT1A1,IZATI0N 
subroutine 73, so that each time the interim routine of FIG. 5 is 
executed, such secure data may be different The secure data may be 
provided in the RAM in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom number 
generator," 




Claim 22 (*661 Patent) 


VS. 5^49,294 to Griffin 


A device according to 
claims 1,4,7,9, 11, 14, 
15, or 20 wherein said 
device comprises a 
smartcard. 


1:11-18- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a 'clock 
attack', A clock attack is a procedure by which an attacker gains 
access to secure data or code used in a predetermined data processing 
routine being executed within a secure data processor, sxich as a 
secure microprocessor '* 

9:3 1-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

See generally W, Rankl and W, Effing, Smart Card Handbook, 
John Wiley & Sons, Chichester, 1997 at 356-384 (describing 
applications for smartcards, including subscriber networks). 
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Claim 23 (*661 Patent) 


5M9a94 to Griffin 


A method of securely 
performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of 
a secret within a 
cryptographic processing 
device by external 
monitoring, comprising: 


1:11-21- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure kjnown as a *cIock 
attack'. A clock attack is a procedure by which an attacker gains 
access to secure data or code used in a predetermined data processing 
routine being executed within a secure data processor, such as a 
secure microprocessor, by determining the time of execution of the 
predetermined data processing routine in relation to occurrence of an 
observable external event that precedes the predetermined routine . . , 

1 :29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution. " 

1 :37-51 - "The present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of the time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable external event and the execution of the 
predetermined routine. 'Duration* is determined by the number of 
data processing clock cycles.'* 

2:37-47 - "The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a observable external event occurs in 
i^xaLivii v;A.v^uuvii Kfi dcuu pr ccic ic f 1 1 uncu rouime, ano means lor 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the observable external event." 

3:4-22 - ''The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure central processing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM), The term ^secure' indicates exicmal 
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inaccessibility. Referring to Figure 1, in one preferred embodiment 
of the present invention, a CPU 10 executes a group of data 
processing routines ... in response to instructions (code) accessed 
from a ROM 1 8; and further executes a maze of interim routines , . . 
assembled in response to instructions accessed from a secure RAM 
24," 

3:27-3 1 **In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the mnzc of 
m interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
INTERIM ROUTINE m." 

8:1-22 - "The interim routine of Figure 5 includes the following 
subroutines, START, INITIALIZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1, INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA - Y © SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . .After the 
START subroutine 72, the CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero/' 

9:3 1-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scntmbled infoniiation signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network " 

Claim 19 - "means for randomly varying the duration of said interim 
routines to thereby vary the duration between the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order to prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the externally observable event" 


(a) receiving a quantity 
to be ci:)^tographicaHy 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- *The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure knovm as a 'clock 
attack*." 

1 :29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 



-28- 



Exhibit C-2 (Griffin) 



(b) generating 
unpredictable 
information; 



pins which is related to or affected by internal processor execution." 

9:3 1 -35 - "1 he method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1,4. 

See also John F. Wakerly, MICROCOMPUTER ARCHITECTURE AND 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7, 



(c) cryptographically 
processing said 
quantity, including 
usin g said 



3 : 1 2-22 - "CPU 1 0 . _ further executes a maze of interim routines . . 
. assembled in response to instructions accessed from a secure RAM 
24." 

4:7-16 - "The number of clock cycles D is a random number 
accessed from the secure RAM 24, The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a sig^ial produced by a physically (truly) 
random phenomena, such as noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator/' 

6:53-58 - "llie n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable,'* 

7:8-1 8 - ''The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator.'* 



1 :29 34~^'An 'observable external event* is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
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unpredictable 
information while 
processing said 
quantity to concei^l a 
correlation between 
externally monitorable 
signals and said secret 
by selecting between: 



I pins which is related to or affected by interna] processor execution/' 

1:37-51 - ''The present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of llie time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable external event and the execution of the 
predetermined routine, 'Duration' is determined by the number of 
data processing clock cycles." 

1 :54-2:2 - "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention, 
steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having different durations, wherein m and n are 
integers, with n being greater than m. It is also preferred that step (d) 
eitlier includes the step of (e) randomly accessing said m interim 
routines from a secure memory; or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure memory; 
and (g) accessing said m interim routines from a memory in response 
to said pointers.'* 

3:9-10 -"The term ^secure' indicates external inaccessibility." 

3:23-35 - "The routines ROUTINE N-1 , ROUTINE N, ROUTINE 
NM are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROUTINE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
. . INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable." 

3:64-4:66 - " Fhe purpose of executing the interim routines is to 
provide a delay of a variable duration betvs^ecn ROUTINE N-I and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 
of clock cycles are counted After a START subroutine 25, the 
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number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27. The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
jfroni which the instructions for the different interim routines are 
accessed. ITie random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number genemtor." 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8- 1 8 ~- "7Tie pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data pit>cessing cycle 
in response to a signal produced by a physic;|lly (truly) random 
phenomena, such as a noisy diode, or in response to a pseudonmdom 
device, such as a pseudorandom number generator." 

Figures 1, 2, 4, 5. 


(c){l) performing a 
computation and 
incorporating the result 
of said computation in 
S£ud cryptographic 
processing, and 


3:23-53 - "The routines ROUTINE N^l , ROUTINE N, ROUTINE 
N+1 are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to pt^vent a predetermined protected routine ROUTINE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
. . . , iiN J LKifvi Kuu 1 iNfc m. I ne total duration oi the m mtenm 
routines is a random variable, llie m interim routines have different 
duratioiLs. To ensure that the branch into the maze of interim routines 
is taken, some subroutine critical to the overall larger routine is 
buried inside the maze. If this subroutine is not performed, then the 
executed overall larger routine is not valuable. The critical 
subroutine is buried by breaking up the instructions in such a way 
that the histruction for the predetermined protected routine 
ROUTINE N does not reside sequentially after its preceding 
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instruction. Instead, tl^e BRANCH routine 1 2 saves the address of 
the instruction for the predetermined protected routine ROUTINE N 
in a secure memory location that cannot be accessed until after 
execution of the maze of interim routines 20, 21, 22 is competed. 
After the address of the instruction for the predetermined protected 
routine ROUTINE N is stored, the CPU 10 executes the first interim 
routine INTERIM ROUTINE 1 


(c)(2) performing a 
computation whose 
output is not 
incorporated in said 
cryptographic 
processing; and 


3:23-53 - **The routines ROUTINE N^i, ROUTINE N, ROUTINE 
N+l are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROUTINE N 
from being synchioriized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 

INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable. The m interim routines have different 
durations. To ensure that the branch into the maze of interim 
routines is taken, some subroutine critical to the overall larger routine 
is buried inside the maze. If this subroutine is not performed, then 
the executed overall larger routine is not valuable. The critical 
subroutine is buri<^ by breaking up the instructions in such a way 
that the instruction for the predetennined protected routine 
ROUTINE N does not reside sequentially after its preceding 
instruction. Instead, the BRANCH routine 12 saves the address of 
the instniction for the predetermined protected routine ROUTINE N 
in a secure memor>' location that cannot be accessed until after 
execution of the maze of interim routines 20, 21, 22 is competed* 
After the address of the instruction for the predetermined protected 
routine ROUTINE N is stored, the CPU 10 executes the first interim 
routine INTERIM ROUTINE L» 

3:64-4: 16 - *'The purpose of executing the interim routines is to 
pro vide a delay of a variable duration between ROU ITNE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 

of clock cycles are counted After a START subroutine 25, the 

number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27. The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed- The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
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random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the mterim routines a random variable," 


(d) outputting said 
cryptographical ly 
processed quantity to a 
recipient thereof. 


1 : 1 1"! 4 - *The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines. . . 

1 :29'-34 - ''An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution/* 

9:3 1-35 - 'The method and system of the present invention are 
particulariy suited for implementation in a microprocessor that 
controls dcscrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication netu'ork." 

Figures 1,4. 

See also John F. Wakeriy, MICROCOMPUTER Architecfure and 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York,! 997 at 6-7. 



Claim 24 ('661 Patent) 


5,249^94 fo GrifTm 


The method of claim 23 
where said selecting is 
performed in software. 


3:1 1-22 - "Referring to FIG, 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ROUTINE N-1, BRANCH, ROUTINE N, TAMPER 
DETECT AND ROUTINE N+1 (respectively identified by reference 
numerals 1 1, 12, 14, 15, 16) in response to instructions (code) 
accessed from a ROM 1 8; and further executes a maze of interim 
routines INTERIM ROUTINE K INTERIM ROUTINE 2, . . . , 
INTERIM ROUTINE , (respectively identified by reference 
numerals 20, 21, 22) assembled in response to instructions accessed 
from a secure RAM 24.'' 

6:27-48 - ^'Referring to FIG, 4, in an alternative preferred 
embodiment of the present invention that requires less secure RAM 
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capacity than the preferred embodinienl of FIG. I , a CPU 44 
executes a group of data processing routines ROUTINE N-K 
BRANCH, ASSEMBLE AND EXECUTE INTERIM ROUTINES, 
ROUTINB N AND ROUTINE N-^l (respectively identified by 
reference numerals 46, 47, 48, 49> 50) in response to instructions 
(code) accessed from a ROM 5 1 , The routines ROUTINE N-1 , 
ROUTINE ROUTINE N+l are essential sequential subroutines of 
a repetitive overall larger data processing routine, and follow the 
occurrence of an externally observable event during each sequence of 
die overall larger routine. In order to prevent the routine ROUTINE 
N from being synchronized with the externally event that repetitively 
precedes the routine ROUTINE N, the BRANCH routine causes the 
CPU 44 to branch to a maze of m interim routines assembled from a 
group of n interim routines INTERIM ROUTINE I , INTERIM 
ROUTINE 2, , . , , INTERIM ROUTINE n (respectively identified 
by reference numerals 54, 55, 56) stored in the ROM 5 1 



Ctaira 25 ('661 Patent) 


U.S. 5;J49,294 to Griffin 


The method of claim 23 
where said selecting is 
performed in hardv/are 
on an integrated circuit 
including a 
microprocessor. 


3:4-7 - "The preferred embodiments of the present invention are 
implemented iaa secure microprocessor halving a seeiire memoi7, a 
nonsecure memory and a secure central processing unit.'* 

3:1 1-22 - "Referring to FIG, 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ROUTINE N-1, BR^\NCH, ROUTINE N, TAMPER 
DETECT AND ROUTINE N-f 1 (respectively identified by reference 
numerals 1 1, 12, 14, 15, 16) in response to instructions (code) 
accessed from a ROM 1 8; and further executes a maze of interim 
routines IN'reRlM ROUTINE 1, INTERIM ROUllNE 2, . . . , 
INTERIM ROUTINE , (respectively identified by reference 
numerals 20, 21, 22) assembled in response to instructions accessed 
from a secure RAM 24," 

6:27-48 - ''Referring to FIG. 4, in an alternative preferred 
embodiment of the present invention that requires less secure RAM 
capacity than the preferred embodiment of FIG. 1 , a CPU 44 
executes a group of data processing routines ROUTINE N-l, 
BRANCH, ASSEMBLE AND EXECUTE INTERIM ROUTINES, 
ROUTINE N AND ROUTDME N^-l (respectively identified by 
reference numerals 46, 47, 48, 49, 50) in response to instructions 
(code) accessed from a ROM 51. Tlie routines ROUTINE N-l, 
ROUTINE N, ROUTINE N+1 are essential sequential subroutines of 
a repetitive overall larger data processing routine, and follow the 
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occurrence of an exiemally observable event during each sequence of 
the overall larger routine. In order to prevent Uie routine ROUTINE 
N from being synchronized with the exiemally event that repetitively 
precedes the routine ROUTrNE N, the BI^NCH routine causes the 
CPU 44 to branch to a maze of m interim routines assembled from a 
group of n interim routines INTERIM ROUTINE 1, INTERIM 
ROUTINE 2, . . . , INTERIM ROUTINE n (respectively identified 
by reference numerals 54, 55, 56) stored in the ROM 51 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled infomiation signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network.** 



Claim 26 (*661 Patent) 


5;X49,294 to Griffm 


A method of securely 
performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of 
a secret within a 
cryptographic processing 
device by external 
monitoring, comprising: 


1:11-21- "The present invention generally pertains to data 

processing and is particularly directed to preventing compromise of 

secure data processing routines by a procedure known as a *clock 

attack*. A clock aUack is a procedure by which an attacker gains 

access to secure data or code used in a predetermined data processing 

routine being executed within a secure data processor, such as a 

secure microprocessor, by determining the time of execution of the 

predetermined data processing routine in relation to occurrence of an 

observable extemal event that precedes the predetermined routine . , . 
>? 

1:29-34 - "An ^observable extemal event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution, 

1 :37-5 1 - ''The present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of the time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable extemal event and the execution of the 
predetermined routine, ' Duration* is determined by the number of 
data processing clock cycles." 
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2:37-47 - "The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a observable external event occurs in 
relation to execution of said predetenmined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetennined 
data processing routine from being determined in relation to the 
occurrence of the observable external event." 

3:4-22 - "The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a sectu*e central processing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memor)' (ROM). The term --secure' indicates external 
inaccessibility. Referring to Figure 1, in one preferred embodiment 
of the present invention, a CPU 10 executes a group of data 
processing routines ... in response to instructions (code) accessed 
from a ROM 1 8; and further executes a maze of interim routines . . . 
assembled in response to instructions accessed from a secure RAM 
24." 

3:27-3 1 - 'in order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROU TINE N, 
the BRANCH routine 12 causes the CPU 1 0 to branch to the maze of 
m interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
INTERIM ROUTINE m." 

8:1-22 - "The interim routine of Figure 5 includes the follovving 
subroutines, START, INITIALIZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1 , INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINA T ION DATA - Y © SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . After the 
START subroutine 72, the CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero." 

9:31-35 - "llie method and system of the present invention are 
particuiariy suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
dcscrambler in the possession of a subscriber in a subscriber 
communication network." 

Claim 19 - ''means for randomly vary ing the dura tion of said interim 
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routines to thereby vary the duration betv^een the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order to prevent the time of execution of the predetenuined 
data processing routine from being determined in relation to the 
occurrence of the externally observable event" 


(a) receiving a quantity 
to be cryptographically 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- *The present invention generally pertains to data 
processing and is particularly dinected to preventing compromise of 
secure data processing routines by a procedure known as a 'clock 

attack'." 

1 :29-34 ''An 'observable external event* is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

9:3 1-35 - "The method and system of the present invention are 
particularly suited for imDiementation in a microDroce<;sor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1 , 4. 

See also John F, Wakerly, Microcomputcr Architecture and 
PROGRAMMfNG; THE 68000 Family, John Wiley & Sons, Inc. New 
York, 1997 at 6-7. 


(b) generating 
unpredictable 
information; 


3:12-22 - "CPU 10 . . . further executes a maze of interim routines . . 
. assembled in response to instructions accessed from a secure RAM 
24." 

4:7-16 - "ITie number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenom.ezia, such as noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 - The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of tlie interim routines a random variable." 
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7:8-18 'The pointers 67, 68, 69 are fixed but the selection and 
ov/^uc^ifuc ui ulc Hi puiiucib iiidi dic dccc^jvcu uunn^ d given oaia 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device^ such as a pseudorandom number generator." 


(c) cryptographicaJly 
processing said 
quantity, including 
using said 
unpredictable 
information while 
processing said 
quantity to conceal a 
correlation between 
externally monitorable 
signals and said secret 


1 :29-34- "An ^observable externa] event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by interna! processor execution." 

1 :37-51 - "The present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of the time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable external event and the execution of the 
ptedfetennined routine, 'Duration' is determined by the number of 
data processing clock cycles.'* 

1 :54-2:2 - *'In one aspect of the present invention, step (a) includes 

the steps of (b) executing one or more interim data processing 

routines between the occurrence of the observable external event and 

the execution of the predetermined routine; and (c) randomly varying 

the duration of said interim routines. In this aspect of the invention, 

steps (b) and (c) preferably include the step of (d) randomly 

assembling m said interim routines for said execution from a group 

of n stored routines having different durations, wherein m and n are 

integers, with n being greater than It is also preferred that step (d) 

either includes the step of (e) randomly accessing said m interim 

routines from a secure memory; or the steps of (f) randomly 

accessing pointers for said m interim routines from a secure memory; 

and (q^ accessing said m interim rAnfinf*^ frnm m*»rY»r*r^/ ■»> «*AOM^m«i>A 
****** v&/ "*'V'x^*>4:?t»i^ iii itiiviiiii ivuviiiva iiuiii a iiicmury in response 

to said pointers.'' 

3:9-10- "The term 'secure' indicates external inaccessibility." 

3:23-53 ^ '^The routines ROUTINE N-1 , ROUTINE N, ROUTINE 
N-f 1 arc essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine In 
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order lo prevent a predetermined protected routine ROUTrNE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable." 

3:64-4:16 "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 

of clock cycles are counted After a START subroutine 25, the 

number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27. The number of clock cycles D is a random number 
accessed from the secure RAM 24, The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interitn routines are 
accessed The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response lo a 
pseudorandom device, such as a pseudoratidom number generator." 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8-18 - "The pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device* such as a oseudorandom number aeneratnr " 

Figures 1,2,4,5, 


by selecting a code 
process from a 
plurality of code 
processes, where said 
selected code process 


1:54-2:2 - "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention 
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is involved in said 

cryptographic 

processing. 



steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having different durations, wherein m and n are 
integers, with n being greater than m. It is also preferred thai step (d) 
either includes the step of (c) randomly accessing said m interim 
routines from a secure memory; or the steps of (^0 randomly 
accessing pointers for said m interim routines from a secure memory; 
and (g) accessing said m interim routines from a memory in response 
to said pointers.'* 

3:23-53 ~ "The rouUnes ROUTINE N~ K ROUTINE N, ROUTINE 
N+l are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an externally 
observable event during each sequence of the overall larger routine. 
In order to prevent a predetermined protected routine ROUTINE N 
from being synchronized with the externally observable event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of m 
interim routines INTERIM ROUTINE 1 , INTERIM ROUTINE 2, . . 
. , INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable* The m interim routines have different 
durations. To ensure that the branch into the maze of interim 
routines is taken, some subroutine critical to the overall larger routine 
is buried inside the maze. If this subroutine is not performed, then the 
executed overall larger routine is not valuable. The critical 
subroutine is buried by breaking up the instructions in such a way 
that the instruction for the predetermined protected routine 
ROUTINE N does not reside sequentially after its preceding 
instruction. Instead, the BRANCH routine 12 saves the address of the 
instruction for the predetermined protected routine ROUTINE N in a 
secure memory location that cannot be accessed until after execution 
of the maze of interim routines 20, 21, 22 is completed. After the 
address of the instruction for the predetermined protected routine 
ROUTINE N is stored, the CPU 10 executes the first interim routine 
INTERIM ROUTINE K" 

3:64-4:16 - ''ITie purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 

of clock cycles are counted A fter a START subroutine 25, the 

number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27. The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the di fferent portions of the secure RAM 24 
from which the instructions for the different interim routines are 
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accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 


bul where the value of 
said outpulted quantity 
is independent of 
which of said code 
processes was selected; 
and 


3:41-53 - "The critical subroutine is buried by breaking up the 
instructions in such a way that the instruction for the predetermined 
protected routine ROUTINE N does not reside sequentially after its 
preceding instruction. Instead, the BRANCH routine 12 saves the 
address of the instruction for the predetermined protected routine 
ROUTINE N in a secure memory location that cannot be accessed 
until after execution of the maze of interim routines 20, 2 1 , 22 is 
completed. After the address of the instruction for the predetermined 
protected routine ROUTINE N is stored, the CPU 10 executes the 
first interim routine INTERIM ROUTINE 1 

6: 1 -6 ~ "Upon completing execution of the maze of interim routines, 
the CPU 10 executes the protected routine ROUTINE N after 
accessing the address of the instruction of the protected routine 
ROUTINE N, which was saved by the CPU 1 0 when the CPU 
executed the BRANCH routine 12." 

7:65-68 - "The interim routine of Figure 5 is executed between each 
occurrence of the observable external event and the execution of the 
predetermined protected routine." 

9:18-22 - '"The interim routine of Figure 5 need not be executed in 
combination with other interim routines and may be incorporated 
into an overall larger data processing routine an>lime critical data 
needs to be moved from one location (source) to another location 
(destination)/' 

Figure 5. 


(d) outputting said 
cryptographically 
processed quantity to a 
recipient thereof. 


1:11-14- 'The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines " 

1 :29-34 - **An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

9:3 1 -35 - "'The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
conuols descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
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communication network." 




Figures 1, 4. 




* 

See also John F, Wakerly, MfCROCOMPUTER ARCHfTECfURE and 
Programming; The 68000 Family. John Wiley & Sons, Inc, New 
York, 1997 at 6-7. 



Claiin 27 C661 Patent) 


U.S. 5,249;294 to Griffin 


A method of securely 
performing a 
cryptographic processing 
operation including a 
sequence of instructions 
in a manner resistant to 
discovery of a secret 
within a cryptographic 
processing device by 
external monitoring, 
comprising: 


1:1 1-22 - "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure knovm as a *cIock 
attack'. A clock attack is a procedure by which an attacker gains 
access to secure data or code used in a predetermined data processing 
routine being executed within a secure data processor, such as a 
secure microprocessor, by determining the time of execution of the 
prcdetennined data processing routine in relation to occurrence of an 
observable external event that precedes the predetermined routine . • . 

1 :29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by intenial processor execution.** 

2:37-47 - "The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a observable external event occurs in 
relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the observable external event'' 

3:4-22 - "The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure centra! processing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM). The term --secure" indicates external 
inaccessibility. Referring to Figure 1, in one preferred embodiment 
of the present invention, a CPU 1 0 executes a group of data 
processing routines ... in response to instructions (code) accessed 
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from a ROM 1 8; and further executes a maze of interim routines . . . 
assembled in response to instructions accessed from a secure RAM 
24." 

3:27-31 - "In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze of 
m interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
INTERIM ROUTINE m." 

8: 1 -22 - "The interim routine of Figure 5 includes the following 
subroutines, START, INITIALIZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1, INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA -Ye SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . .After the 
START subroutine 72, the CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero." 

9:3 1-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
conurols descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network,^ 

Claim 19 - "means for randomly varying the duration of said interim 
routines to thereby vary the duration between the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order lo prevent the time of execution of the predetermined 
data processing routine from being determined in relation to tlie 
occurrence of the externally observable event" 


(a) receiving a quantity 
to be cryptographically 
processed^ said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- "The present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines 

1 :29-34 - ''An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

9:3 1 -35 - *'The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals bv a 
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descrambler in the possession of a subscriber in a subscriber 
communication network/* 

Figures 1,4. 

See also John F. Wakerly, Mjcrocomputer Archi'I bcturb and 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 


(b) genierating 
unpredictable 
mfonnation; 


3:12-22 - "CPU 10 . . . fiuiher executes a maze of interim routines , . 
. assembled in response to instructions accessed from a secure RAM 

4:7-16 ~ "The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator/* 

6:53-58 - 'The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable/' 

7:8-1 8 - **Thc pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection ^d sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 


(c) using said 
unpredictable 
information while 
processing said 
quantity to conceal a 
correlation between 
externally monitorable 
signals and said secret 
by using said 


1 :29-34 ~ "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution. 

1:37-51 - ''llic present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of the time of 
execution of a predetennnined data processing routine in relation to 
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unpredictable 
information to raodily 
said sequence; and 



occurrence of an obser\'able external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable external event and the execution of the 
predetenmined routine. ^Duration' is determined by the number of 
data processing clock cycles." 

1 :54"2:2 "In one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention, 
steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having diflfcrent durations, wherein m and n are 
integers, with n being greater than m. It is also preferred that step (d) 
either includes the step of (c) randomly accessing said m interim 
routines from a secure memory; or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure memory; 
and (g) accessing said m interim routines from a memory in response 
to said pointers." 

3:9-10 -"The term ^secure' indicates external inaccessibility." 

3:23 53 ~ "The routines ROU nNEN-l, ROUTINE N, ROUTINE 
N f 1 are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
order to prevent a predetermined protected routine ROUTINE N 
from being synchronized with the observable external event that 
repetitively precedes the protected routine ROUTINE N, the 
BRANCH routine 12 causes the CPU 10 to branch to llie maze of m 
interim routines INTERIM ROUTINE I, INTERIM ROUTINE 2, 

INTERIM ROUTINE m. The total duration of the m interim 
routines is a random variable." 

3:64-4: 16 - "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-1 and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown J n Figure 2, wherein the routine is completed once a number 
of clock cycles are counted. . . . After a START subroutine 25, the 
number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27. The number of clock cycles D is a random number 
accessed from the secure RAM 24. The random clock-cycle 
nujnbcrs arc provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
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accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator." 

6:53-58 ~ "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable/' 

7:8-18- "The pointers 67, 68, 69 are fixed but the selection and 
^vi|uvuuv VI iiiv III puijuvi5 ui£u oiv awwcoowU uunng a givcn uaia 
processing sequence is randomly varied firom one overall data 
processing cycle to the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator/' 


(d) outputting said 
cryptographically 
processed quantity to a 
recipient thereof. 


1:11-14- "The present invention generally pertai ns to data 
processing and is particularly directed to preventing compromise of 
secure data processing xoutinies " 

1 !29-34 - "An 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution." 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network.'* 

Figures 1, 4. 

See also John F. Wakeriy, MiCROCOMPUrER Akchi tecturb AND 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7. 



Claim 29 (*661 Patent) 


U.S. 5,249,294 to Griffin 


A method of securely 


1 : 1 1-22 ~ *The present invention generally pertains to data 
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performing a 
cryptographic processing 
operation in a manner 
resistant to discovery of 
a secret within a 
cryptographic processing 
device by external 
monitoring of said 
device*s power 
consumption, 
comprising: 



processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a *clock 
attack'. A clock attack is a procedure by which an attacker gains 
access to secure data or code used in a predetermined data processing 
routine being executed within a secure data processor, such as a 
secure microprocessor, by determining the time of execution of the 
predetermined data processing routine in relation to occurrence of an 
observable external event that precedes the predetermined routine . . . 



1 :29-34 ~ "An 'observ'able external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution.'* 

1 :37-5 1 - "The present invention prevents such clock attacks by 
providing a method that inhibits synchronization with externally 
generated instructions by preventing determination of tlie time of 
execution of a predetermined data processing routine in relation to 
occurrence of an observable external event that precedes execution of 
the predetermined routine. The method of the present invention 
includes the step of (a) randomly varying the duration between the 
occurrence of the observable external event and the execution of the 
predetermined routijoe, 'Duration' is determined by th(5 number of 
data processing clock cycles." 

2:37-47 - "The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a observable external event occurs in 
relation to execution of said predetermined routine; and means for 
randomly varying the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine to thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
occurrence of the observable external event." 

3:4-22 - *The preferred embodiments of the present invention are 
implemented in a secure microprocessor having a secure memory, a 
nonsecure memory and a secure central processing unit (CPU). Both 
memories may include both a random access memory (RAM) and a 
read only memory (ROM). The term -secure* indicates external 
inaccessibility. Referring to Figure 1 , in one preferred embodiment 
of the present invention, a CPU 1 0 executes a group of data 
processing routines ... in response to instructions (code) accessed 
from a ROM 18; and further executes a maze of interim routines 
assembled in response to instructions accessed from a secure RAM 
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24." 

3:27-31 - "In order to prevent a predetermined protected routine 
ROUTINE N from being synchronized with the observable external 
event that repetitively precedes the protected routine ROUTINE N, 
the BRANCH routine 12 causes the CPU 10 to branch to the maze of 
m interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
.... INTERIM ROUTINE m/' 

8:1-22 - "The interim routine of Figure 5 includes the following 
subroutines, START, INITIAUZATION, iTH BIT OF X - 1?, SET 
iTH BIT OF Y TO 1, INCREMENT i, i > WORD SIZE OF 
SOURCE DATA?, DESTINATION DATA - Y ® SOURCE 
DATA, WRITE NEW SECURE DATA, AND EXIT . . . After the 
START subroutine 72, the CPU executes the INITIALIZATION 
subroutine 73, during which a register X is loaded with the result of 
the dynamic SOURCE DATA being XORed with SECURE DATA 
accessed from a secure RAM, a register Y is set to zero, and a 
counter i is set to zero/' 

9:3 1 -34 - ''The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambh'ng of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network/* 

Claim 1 9 - ''means for randomly varying the duration of said interim 
routines to thereby vary the duration between the occurrence of the 
externally observable event and the execution of the predetermined 
routine in order to prevent the time of execution of the predetermined 
data processing routine from being detenmined in relation to the 
occurrence of the externally observable event*' 


(a) receiving a variable 
amount of power^ said 
power consumption 
varying measurably 
during said 
performance of said 
operation; 


1 :29-34 ~- *V\n 'observable external event' is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or affected by internal processor execution.*' 

2:39-47 ~ 'The present invention further provides a data processing 
system, comprising means for executing a predetermined data 
processing routine, wherein a [sic] observable extemal event occurs 
in relation to execution of said predetermined routine; and means for 
randomly varj'ing the duration between the occurrence of the 
observable external event and the execution of the predetermined 
routine lo thereby prevent the time of execution of the predetermined 
data processing routine from being determined in relation to the 
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occurrence of the observable external event." 

9:18-23 - ''The interim routine of Figure 5 need not be executed in 
combination with other interim routines and may be incorporated 
into an overall larger data processing routine anytime critical data 
needs to be moved from one location (source) to another location 
(destination)." 


(b) rcceivihg a quantity 
to be cryptographically 
processed, said 
quantity being 
representative of at 
least a portion of a 
message; 


1:11-14- "ITie present invention generally pertains to data 
processing and is particularly directed to preventing compromise of 
secure data processing routines by a procedure known as a 'clock 
attack*." 

3:1 1-17 - "Referring to Figure 1, in one preferred embodiment of the 
present invention, a CPU 10 executes a group of data processing 
routines ... in response to instructions (code) accessed from a ROM 
18..,." 

9:3 1-35 - " The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
descrambler in the possession of a subscriber in a subscriber 
communication network," 

See also John F. Wakerly, MICROCOMPUTER ARCHITECTURE and 
PROGRAMMnsG; THE 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7, 


(c) introducing noise 
into said measurement 
of said power 
consumption while 
processing said 
quantity; and 


1 :54-2:2 - 'Mn one aspect of the present invention, step (a) includes 
the steps of (b) executing one or more interim data processing 
routines between the occurrence of the observable external event and 
the execution of the predetermined routine; and (c) randomly varying 
the duration of said interim routines. In this aspect of the invention, 
steps (b) and (c) preferably include the step of (d) randomly 
assembling m said interim routines for said execution from a group 
of n stored routines having different durations, wherein m and n are 
integers, with n being greater than m. It is also preferred that step (d) 
either includes the step of (e) randomly accessing said m interim 
routines from a secure memory; or the steps of (f) randomly 
accessing pointers for said m interim routines from a secure, memory; 
and (g) accessing said m interim routines from a memory in response 
to said pointers," 

3:23-53 ^ "The routines ROUTINE N-1 , ROUTINE N, ROUTINE 
N-M are essential sequential subroutines of a repetitive overall larger 
data processing routine, and follow the occurrence of an observable 
external event during each sequence of the overall larger routine. In 
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order to prevent a predetermined protected routine ROUTIME N 
from being synctironized with the observable external event that 
repetitively precedes the protected routine ROUITNE N, the 
BRANCH routine 12 causes the CPU 10 to branch to the maze of ra 
interim routines INTERIM ROUTINE 1, INTERIM ROUTINE 2, 
INTERIM ROUTINE m. The total duration of the m interim 
routines is a randocn variable/' 

3:64-4:6 - "The purpose of executing the interim routines is to 
provide a delay of a variable duration between ROUTINE N-l and 
ROUTINE N. Each interim routine is a loop counter routine as 
shown in Figure 2, wherein the routine is completed once a number 

of clock cycles are counted After a START subroutine 25, the 

number of clock cycles D to be counted is loaded into a register 
implemented by the CPU 10 during a LOAD DELAY D IN R 
subroutine 27 " 

4:7-1 6 - 'The number of clock cycles D is a random number 
accessed from ihe secure RAM 24. The random clock-cycle 
numbers are provided in the different portions of the secure RAM 24 
from which the instructions for the different interim routines are 
accessed. The random clock-cycle numbers may be provided in the 
RAM 24 in response to a signal produced by a physically (truly) 
random phenomena, such as a noisy diode, or in response to a 
pseudorandom device, such as a pseudorandom number generator/* 

6:53-58 - "The n interim routines have different durations; and the 
selection and sequence of the m interim routines that are assembled 
for execution during a given data processing sequence is randomly 
varied from one sequence to the next in order to make the total 
duration of the interim routines a random variable." 

7:8-1 8 - *'TTie pointers 67, 68, 69 are fixed but the selection and 
sequence of the m pointers that are accessed during a given data 
processing sequence is randomly varied from one overall data 
processing cycle lo the next in order to make the total duration of the 
interim routines a random variable. The selection and sequence of 
the m pointers is provided during each overall data processing cycle 
in response to a signal produced by a physically (truly) random 
phenomena, such as a noisy diode, or in response to a pseudorandom 
device, such as a pseudorandom number generator." 
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(<t) outpuUing said 1:11-14- ''The present invention generally pertains to data 

cryptographically processing and is panicuJarly directed to preventing compromise of 

processed quantity to a secure data processing routines. . . 
recipient thereof. 

1 :29-34 - "An ^observable external event* is defined as any internal 
state transition that manifests itself externally, including but not 
limited to a change in voltage or current at any pin or combination of 
pins which is related to or afTected by internal processor execution." 

9:31-35 - "The method and system of the present invention are 
particularly suited for implementation in a microprocessor that 
controls descrambling of scrambled information signals by a 
dcscrambler in the possession of a subscriber in a subscriber 
communication network." 

Figures 1,4. 

See also John F. Wakerly, Microcomputer Architecture and 
Programming; The 68000 Family, John Wiley & Sons, Inc., New 
York, 1997 at 6-7, 



Claim 30 ('661 Patent) 


VS. 5,249^X94 to Griffin 


The method of claim 29 
wherein said step of 
introducing noise 
comprises: (a) 
generating initial noise 
having a randpm 
characteristic; 


8:60-9:5 "The total duration of the interim routine of FIG. 5 is 
dependent upon the number of ONE bits loaded into the X register 
during the INITIALIZAI ION subroutine 73, since the SET iTH BIT 
OF X TO 1 subroutine 75 is executed only when the ith bit of the X 
register equals ONE. Thus the range of variation in the duration of 
the interim routine of FIG. 5 is the number of clock cycles required 
for the subroutine 75 times the number of bit positions in the X 
register Since the number of limes that the subroutine 75 is executed 
is dependent upon the content of the dynamically processed source 
data and the secure data in the RAM, the total duration of the interim 
routine of FIG. 5 is a random variable that is unknown to the 
observer." 


(b) improving the 
random characteristic of 
said initial noise; and 


9:6-16 - "The randomness of the the total duration of the interim 
routine of FIG, 5 is further compounded by execution of the WRITE 
NEW SECURE DATA subroutine 79, which changes the secure dat^ 
in the RAM that is accessed during the INm ALIZATION 
subroutine 73, so that each time the interim routine of FIG. 5 is 
executed, such secure data may be different. The secure data may be 
provided in the RAM in response to a signal produced by a 
physically (truly) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom number 
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generator/* 


(c) varying said power 
consumption based on 
said imDroved initial 
noise. 


9:6-16 - *'The randomness of the the total duration of the interim 
routine of FIG. 5 is further compounded by execution of the WRITE 
NEW SRCIJRH Data <?ubroutine 7Q which chanpe<; the secure datA 
in the RAM that is accessed during the INITIALIZATION 
subroutine 73, so that each time the interim routine of FIG. 5 is 
executed, such secure data may be diflferent. The secure data may be 
provided in the RAM in response to a signal producwl by a 
physically (tnily) random phenomena, such as a noisy diode, or in 
response to a pseudorandom device, such as a pseudorandom numter 
generator.'' 
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